Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert if a syslog device does not send data in a rolling 24-hour period?

matthew_foos
Path Finder
‎09-13-2017 12:35 PM

Splunkers,

To meet a regulatory requirement, I need to alert on if a syslog device does NOT send data to the Indexers in a 24 hour period.

For example:
If host splunk1 does send data, no alert needs to be generated.
If host splunk2 does NOT send data, and alert must be generated.
This alert needs to have a hostname.

We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.
Search example:
index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host
This search string returns a count of 16 and it will always be 16 for this specific devices type.

Any advice would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-13-2017 03:18 PM

HI matthew.foos,
you should create a lookup with all the hosts you have to monitor in your perimeter (e.g. a lookup called perimeter.csv with one field called host), and the schedule an alert like this

| metasearch index=* 
| eval host=upper(host)
| stats count by host
| append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ]
| stats sum(count) AS Total by host
| where Total=0

You should check what is the minimum time period for monitoring because 24 hours probably is a too large period.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

sureshkumaar
Path Finder
‎10-01-2019 04:34 AM

Hi Richgalloway,

      Can i know what does this "where diff > 86400" trying to say in the query?
0 Karma
Reply
Solved! Jump to solution

decoherence
Explorer
‎10-22-2019 06:40 AM

The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question.)

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!